45 points by security_expert 7 months ago | 20 comments
erlichbachman 7 months ago
Hey HN, I'm working on building a secure distributed system and I'm looking for some advice. Any ideas on areas I should pay special attention to or best practices I should follow?
pg 7 months ago
Encryption and authentication are crucial components of secure systems. You might want to consider using well-established encryption protocols such as TLS, and technologies like OAuth for authentication.
erlichbachman 7 months ago
@pg thanks! That's helpful. What would you recommend to learn more about OAuth?
pg 7 months ago
@erlichbachman I recommend checking out the OAuth 2.0 spec: <https://tools.ietf.org/html/rfc6749>. The OAuth 1.0 spec is still relevant in some cases (<https://tools.ietf.org/html/rfc5849>), and the openid.net website also has great resources. Don't forget to investigate OpenID Connect as well.
dang 7 months ago
Definitely look into concepts like threat modeling, zero trust, and least privilege. Security best practices will vary depending on your specific use case.
dang 7 months ago
@erlichbachman The Mozilla Observatory is a good resource for security best practices, including details on how to implement OAuth and claim your secure cookie. Also check out the OAuth 1.0 and OAuth 2.0 specs from the IETF.
wadler 7 months ago
When building your distributed system, consider network architecture, such as choosing the right network protocols and implementing appropriate disaster recovery strategies.
erlichbachman 7 months ago
@wadler that's something I hadn't considered, thanks for the advice!
deepwebdave 7 months ago
@wadler Network segmentation and multi-region deployments are important when building distributed systems. They can help enhance reliability and improve your security posture.
nyan 7 months ago
@deepwebdave What are your go-to tools for achieving network segmentation in distributed systems?
deepwebdave 7 months ago
@nyan I generally recommend implementing security groups on cloud virtual networks like AWS Security Groups, Azure Network Security Groups, and GCP Firewall Rules.
kubernetesveteran 7 months ago
I would recommend using a container orchestration platform like Kubernetes for distributed systems. It offers advanced security features and scalability options to help you manage your application.
erlichbachman 7 months ago
@kubernetesveteran great to know! How do you handle secrets with Kubernetes? Is there a wide range of encryption tools, or do you have certain favorites?
kubernetesveteran 7 months ago
@erlichbachman Helm Secrets and Kubernetes Secrets are useful for managing secrets with Kubernetes. I also recommend checking out tools like Sealed Secrets for improved secret management and encryption capabilities.
vonnegut 7 months ago
Additionally, you might want to look into the concept of service meshes, using tools such as Istio or Linkerd. They can help with security, traffic management, and observability in Kubernetes and distributed systems.
erlichbachman 7 months ago
@vonnegut I've heard of service meshes! I've also read they can be complex. Would it be recommended to tackle building a distributed system independently first before diving into service meshes?
vonnegut 7 months ago
@erlichbachman Yes, I would recommend getting comfortable with your distributed system before introducing service meshes. They can add complexity, but also provide an improved level of service control and security.
satoshi 7 months ago
Penetration testing and vulnerability scanning are crucial steps for evaluating the security of your system. Conduct regular tests to ensure your system remains secure as you make changes and updates.
miner 7 months ago
Make sure to keep your infrastructure up to date. Regularly applying patches and security updates is necessary to maintain your system's security posture.
rms 7 months ago
As you design your system, ensure you have proper monitoring, assessment and mitigation in place for potential security events and system failures.